[adriaanmulder]

Hey Tom! I see in the security section it says "We secure your data at rest through a mechanism called tokenization, which ensures our systems only store references to your secrets. In the event of a data breach, attackers would only gain access to the references." If this is the case, then where are the secrets stored? How can you view the secrets from the web console if they aren't stored anywhere? Thanks!

[tompic823]

Great question! We tokenize all secrets and then store the tokens in our database. The raw secrets are stored with our tokenization provider, VGS. When you fetch your secrets, either via our dashboard or CLI, we exchange the token for the raw secret value and then relay that value in our response. This ensures that our infrastructure never persists raw secret values. You can find more information about this process in our Security docs [0].

[0] https://docs.doppler.com/docs/security-fact-sheet#data-flow-...

[adriaanmulder]

Thanks for the quick response. I think this should really be explicitly stated in the docs, along with a link to VGS. The diagram didn't make it obvious to me that the "security provider" block is actually storing the secrets, rather than just converting them into tokens.

[tompic823]

Thanks for that feedback, I completely agree. I've updated the linked page to mention this more explicitly.